YubiKey Static Password Mode

At least one reader is having problems getting started with the YubiKey, partly because it doesn’t come with instructions. If an operating system doesn’t support using the YubiKey as a 2FA device, there is a way around this – here I’ll show the process for storing a password on the YubiKey, so it dumps the password into a text field when the button on the device is pressed.

The option to select here is ‘Static Password’. The application might then display the following options:

As I want to configure just the one device, I’ve selected ‘Scan Code’.

Static Password Configuration Screen
The YubiKey has two storage regions called ‘Configuration Slots’, either or both of which might contain a password. Before setting a password here, ensure that Configuration Slot 1 or Configuration Slot 2 is checked.

Just below that is ‘Configuration Protection’, which prevents accidental overwrites of the stored configuration. Here I’ve left it as the default, which is unprotected.

Under the ‘Password’ section there are two input fields, which are both disabled/grayed-out. To enable these, a keyboard layout must be selected.

While the YubiKey can store and type out a complete password, Static Password mode can also be used for a simple two-factor setup by storing only a prefix. For example, you might set the passwords on your laptop and email accounts as ‘xyz123abc’ + [unique password], and have the YubiKey enter just the first string, so that neither the device alone nor the memorised part alone is enough.

All that remains after entering the password is to click the ‘Write Configuration’ button to write the password to Slot 1.

YubiKey Personalization Tool Settings Tab
One other thing that should be mentioned, in case the operating system is having problems detecting the YubiKey, is the set of options in the Settings tab.

Serial number visibility determines how the operating system can read the device’s serial number: from the USB hardware descriptor, or from the response to an API call. Output speed throttling might also be useful, especially if using the device with an older system that polls input devices at a much lower rate and would otherwise drop characters.
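As an added example that is not from the post (which uses the graphical YubiKey Personalization Tool), the same Slot 1 static-password write can be scripted with Yubico’s ykman command-line tool; the script first checks the password locally against the 38-character static-password limit and a printable-ASCII character set, and assumes ykman is installed and on PATH.

```shell
#!/bin/sh
# Added example: program a static password into Slot 1 with Yubico's ykman
# CLI rather than the graphical Personalization Tool used in the post.
# Assumes ykman is on PATH. Run as:  ./static_pw.sh 'xyz123abc'
set -eu

SLOT=1
LAYOUT=US          # keyboard layout, as the post's 'Scan Code' step requires
MAX_LEN=38         # Yubico's documented maximum length for a static password

# Check the candidate password locally before anything touches the key:
# non-empty, within the length limit, and printable ASCII only (the key
# types keyboard scan codes, so characters outside the chosen layout will
# not be reproduced correctly on the host).
validate_static_password() {
    pw=$1
    [ -n "$pw" ] || { echo "password is empty" >&2; return 1; }
    [ ${#pw} -le "$MAX_LEN" ] || { echo "longer than $MAX_LEN characters" >&2; return 1; }
    if printf '%s' "$pw" | LC_ALL=C grep -q '[^ -~]'; then
        echo "contains characters outside printable ASCII" >&2
        return 1
    fi
    return 0
}

# Write the password into the slot. ykman prompts before overwriting a slot
# that is already programmed unless -f is given; -f is deliberately omitted
# so an existing configuration is never clobbered silently.
program_static_password() {
    validate_static_password "$1"
    ykman otp static --keyboard-layout "$LAYOUT" "$SLOT" "$1"
    # Optional, for older hosts that drop characters (the post's 'output speed
    # throttling'): add a delay in milliseconds between emitted keystrokes.
    # ykman otp settings --pacing 20 "$SLOT"
    ykman otp info    # confirm that the slot now reports as programmed
}

# Only touch hardware when a password is actually supplied on the command line.
if [ "$#" -ge 1 ]; then
    program_static_password "$1"
fi
```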

Using the Programmed YubiKey
Now to use the YubiKey to enter the password in the login screen. A short press of the ‘y’ button on the device types out the password in Slot 1; holding the ‘y’ button for longer types out the password in Slot 2.

Would you consider this really 2FA though? At the end of the day it’s still a password (or a combo of two). Can’t malware or a keylogger find out what the password is still more easily than, say, Authy or Google Authenticator OTPs?

Profile

My name is Michael, and I’m a software developer specialising in clinical systems integration and messaging (API creation, SQL Server, Windows Server, secure comms, HL7/DICOM messaging, Service Broker, etc.), using a toolkit based primarily around .NET and SQL Server, though my natural habitat is the Linux/UNIX command line interface.
Before that, I studied computer security (a lot of networking, operating system internals and reverse engineering) at the University of South Wales, and somehow managed to earn a Master’s degree. My rackmount kit includes an old Dell Proliant, an HP ProCurve Layer 3 switch, two Cisco 2600s and a couple of UNIX systems.
Apart from all that, I’m a martial artist (Aikido and Aiki-jutsu), a practising Catholic, a prolific author of half-completed software, and a volunteer social worker.